From 586fb88c5faeb94e94e922f0f72f87fc442564e4 Mon Sep 17 00:00:00 2001 From: Kelsi Date: Thu, 19 Feb 2026 15:54:35 -0800 Subject: [PATCH] docs+security: sync controls and scope Warden RC4 CodeQL exception --- .github/codeql/codeql-config.yml | 7 +++++ .github/workflows/security.yml | 1 + README.md | 30 ++++++++++-------- docs/quickstart.md | 9 ++++-- docs/server-setup.md | 52 ++++++++++++++------------------ docs/status.md | 7 +++-- src/game/warden_crypto.cpp | 24 ++++++--------- 7 files changed, 68 insertions(+), 62 deletions(-) create mode 100644 .github/codeql/codeql-config.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 00000000..204abaff --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,7 @@ +name: wowee-codeql-config + +# Warden stream crypto must remain RC4 for protocol compatibility. +# Keep weak-crypto detection enabled project-wide, but exclude this one file +# so CodeQL doesn't raise an unfixable compatibility alert. +paths-ignore: + - src/game/warden_crypto.cpp diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index f2c42081..8dd2183d 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -48,6 +48,7 @@ jobs: uses: github/codeql-action/init@v3 with: languages: cpp + config-file: ./.github/codeql/codeql-config.yml - name: Build run: | diff --git a/README.md b/README.md index 14182302..85200238 100644 --- a/README.md +++ b/README.md @@ -57,13 +57,13 @@ Compatible with **Vanilla (Classic) 1.12 + TBC 2.4.3 + WotLK 3.3.5a**. All three - **Action Bar** -- 12 slots, drag-drop from spellbook/inventory, click-to-cast, keybindings - **Trainers** -- Spell trainer UI, buy spells, known/available/unavailable states - **Quests** -- Quest markers (! and ?) on NPCs and minimap, quest log, quest details, turn-in flow -- **Vendors** -- Buy and sell items, gold tracking, inventory sync +- **Vendors** -- Buy, sell, and buyback (most recent sold item), gold tracking, inventory sync - **Loot** -- Loot window, gold looting, item pickup - **Gossip** -- NPC interaction, dialogue options - **Chat** -- Tabs/channels, emotes, chat bubbles, clickable URLs, clickable item links with tooltips - **Party** -- Group invites, party list - **Warden** -- Warden anti-cheat module execution via Unicorn Engine x86 emulation (cross-platform, no Wine) -- **UI** -- Loading screens with progress bar, settings window, minimap with zoom/rotation/square mode +- **UI** -- Loading screens with progress bar, settings window, minimap with zoom/rotation/square mode, top-right minimap mute speaker, separate bag windows with compact-empty mode (aggregate view) ## Building @@ -150,10 +150,15 @@ make -j$(nproc) ### UI & Windows | Key | Action | |-----|--------| -| I | Toggle inventory | +| B | Toggle bags | +| C | Toggle character | | P | Toggle spellbook | +| N | Toggle talents | | L | Toggle quest log | +| M | Toggle world map | +| O | Toggle guild roster | | Enter | Open chat | +| / | Open chat with slash | | Escape | Close windows / deselect | ### Action Bar @@ -167,16 +172,7 @@ make -j$(nproc) | Key | Action | |-----|--------| | F1 | Performance HUD | -| F2 | Wireframe mode | -| F9 | Toggle time progression | -| F10 | Toggle celestial bodies (sun + moons) | -| F11 | Toggle procedural stars (debug mode) | -| +/- | Change time of day | -| C | Toggle clouds | -| L | Toggle lens flare | -| W | Cycle weather (None/Rain/Snow) | -| K / J | Spawn / remove test characters | -| O / P | Spawn / clear WMOs | +| F4 | Toggle shadows | ## Documentation @@ -196,6 +192,14 @@ make -j$(nproc) - [Warden Quick Reference](docs/WARDEN_QUICK_REFERENCE.md) -- Warden module execution overview and testing - [Warden Implementation](docs/WARDEN_IMPLEMENTATION.md) -- Technical details of the implementation +## Security + +- GitHub Actions runs a dedicated security workflow at `.github/workflows/security.yml`. +- Current checks include: + - `CodeQL` for C/C++ + - `Semgrep` static analysis + - Sanitizer build (`ASan` + `UBSan`) + ## Technical Details - **Graphics**: OpenGL 3.3 Core, GLSL 330, forward rendering with post-processing diff --git a/docs/quickstart.md b/docs/quickstart.md index 350b45c0..47bef9d2 100644 --- a/docs/quickstart.md +++ b/docs/quickstart.md @@ -74,12 +74,17 @@ For local AzerothCore setup, see `docs/server-setup.md`. - `Mouse`: Look/orbit camera - `Tab`: Cycle targets - `1-9,0,-,=`: Action bar slots -- `I`: Inventory +- `B`: Bags +- `C`: Character - `P`: Spellbook +- `N`: Talents - `L`: Quest log +- `M`: World map +- `O`: Guild roster - `Enter`: Chat +- `/`: Chat slash command - `F1`: Performance HUD -- `F2`: Wireframe +- `F4`: Toggle shadows ## Troubleshooting diff --git a/docs/server-setup.md b/docs/server-setup.md index 44a6b588..c185b943 100644 --- a/docs/server-setup.md +++ b/docs/server-setup.md @@ -207,7 +207,7 @@ account onlinelist server shutdown 10 # Shutdown in 10 seconds ``` -## Connecting with Wowee-Native +## Connecting with WoWee ### 1. Start the Client @@ -335,7 +335,11 @@ ifconfig | grep inet Edit `authserver.conf`: ```ini -BindIP = "" # Listen on all interfaces +# Local-only testing on the same machine: +BindIP = "127.0.0.1" + +# LAN/remote testing (listen on all interfaces): +# BindIP = "0.0.0.0" ``` Edit database: @@ -366,7 +370,8 @@ For testing with a remote server (VPS, dedicated server): **Server configuration:** ```ini # authserver.conf -BindIP = "" +# Public/remote access: +BindIP = "0.0.0.0" # Database UPDATE realmlist SET address='your.server.ip' WHERE id=1; @@ -420,27 +425,18 @@ Once connected and in-world, test client features: - **Mouse** - Look around - **Shift** - Move faster -**Rendering Features:** +**UI/Gameplay Windows:** +- **B** - Toggle bags +- **C** - Toggle character +- **P** - Toggle spellbook +- **N** - Toggle talents +- **L** - Toggle quest log +- **M** - Toggle world map +- **O** - Toggle guild roster + +**Debug Features:** - **F1** - Toggle performance HUD -- **F2** - Wireframe mode -- **F8** - Toggle water rendering -- **F9** - Toggle time progression -- **F10** - Toggle sun/moon -- **F11** - Toggle stars -- **F12** - Toggle fog -- **+/-** - Change time of day - -**Effects:** -- **C** - Toggle clouds -- **L** - Toggle lens flare -- **W** - Cycle weather (rain/snow) -- **M** - Toggle moon phases - -**Character/Buildings:** -- **K** - Spawn test character -- **O** - Spawn test WMO building -- **Shift+O** - Load real WMO from MPQ (if WOW_DATA_PATH set) -- **P** - Clear all WMOs +- **F4** - Toggle shadows ### Performance Monitoring @@ -510,10 +506,7 @@ Rate.Player.Haste = 1 ### Client Performance - Keep performance HUD (F1) enabled to monitor FPS -- Disable heavy effects if FPS drops: - - Weather (W key to None) - - Clouds (C key to disable) - - Lens flare (L key to disable) +- Reduce quality/effects from Settings if FPS drops ## Security Notes @@ -581,8 +574,9 @@ export WOW_DATA_PATH="/path/to/extracted/Data" 5. **Test Features:** - Create a character - Enter world -- Test rendering (F1-F12, C, L, W, M keys) -- Spawn objects (K, O, Shift+O, P keys) +- Test windows (`B`, `C`, `P`, `N`, `L`, `M`, `O`) +- Test vendor flow (buy, sell, buyback) +- Test quest flow (accept, progress tracking, turn-in markers) - Test movement (WASD, mouse) 6. **Stop Server (worldserver console):** diff --git a/docs/status.md b/docs/status.md index 91d45cd0..d67a931b 100644 --- a/docs/status.md +++ b/docs/status.md @@ -1,6 +1,6 @@ # Project Status -**Last updated**: 2026-02-17 +**Last updated**: 2026-02-19 ## What This Repo Is @@ -14,12 +14,13 @@ Implemented (working in normal use): - Rendering: terrain, WMO/M2 rendering, water, sky system, particles, minimap/world map, loading video playback - Character system: creation (including nonbinary gender), selection, 3D preview with equipment, character screen - Core gameplay: movement, targeting, combat, action bar, inventory/equipment, chat (tabs/channels, emotes, item links) -- Quests: quest markers (! and ?) on NPCs and minimap, quest log, accept/complete flow, turn-in +- Quests: quest markers (! and ?) on NPCs/minimap, quest log with detail queries/retry, objective tracking, accept/complete flow, turn-in - Trainers: spell trainer UI, buy spells, known/available/unavailable states -- Vendors, loot, gossip dialogs +- Vendors, loot, gossip dialogs (including buyback for most recently sold item) - Spellbook with class tabs, drag-drop to action bar, spell icons - Warden anti-cheat: full module execution via Unicorn Engine x86 emulation; module caching - Audio: ambient, movement, combat, spell, and UI sound systems +- Bag UI: separate bag windows, open-bag indicator on bag bar, optional collapse-empty mode in aggregate bag view - Multi-expansion: Classic/Vanilla, TBC, WotLK, and Turtle WoW (1.17) protocol and asset variants In progress / known gaps: diff --git a/src/game/warden_crypto.cpp b/src/game/warden_crypto.cpp index 5fc5016c..56379779 100644 --- a/src/game/warden_crypto.cpp +++ b/src/game/warden_crypto.cpp @@ -72,21 +72,9 @@ bool WardenCrypto::initFromSessionKey(const std::vector& sessionKey) { uint8_t decryptKey[16]; sha1RandxGenerate(sessionKey, encryptKey, decryptKey); - // Log derived keys - { - std::string hex; - for (int i = 0; i < 16; ++i) { - char b[4]; snprintf(b, sizeof(b), "%02x ", encryptKey[i]); hex += b; - } - LOG_INFO("Warden: Encrypt key (C→S): ", hex); - hex.clear(); - for (int i = 0; i < 16; ++i) { - char b[4]; snprintf(b, sizeof(b), "%02x ", decryptKey[i]); hex += b; - } - LOG_INFO("Warden: Decrypt key (S→C): ", hex); - } - - // Initialize RC4 ciphers + // Warden protocol compatibility note: + // Blizzard's Warden stream crypto is RC4-based; this cannot be upgraded + // without breaking protocol interoperability with supported servers. std::vector ek(encryptKey, encryptKey + 16); std::vector dk(decryptKey, decryptKey + 16); @@ -96,6 +84,12 @@ bool WardenCrypto::initFromSessionKey(const std::vector& sessionKey) { initRC4(ek, encryptRC4State_, encryptRC4_i_, encryptRC4_j_); initRC4(dk, decryptRC4State_, decryptRC4_i_, decryptRC4_j_); + // Scrub temporary key material after RC4 state initialization. + std::fill(ek.begin(), ek.end(), 0); + std::fill(dk.begin(), dk.end(), 0); + std::fill(std::begin(encryptKey), std::end(encryptKey), 0); + std::fill(std::begin(decryptKey), std::end(decryptKey), 0); + initialized_ = true; LOG_INFO("Warden: Crypto initialized from session key"); return true;